New Word malware: FW: Meridian (Acc. No. 10072180) – Professional Fee Invoice

MX Lab,, started to intercept a new malware distribution campaign by email with the subject “FW: Meridian (Acc. No. 10072180) – Professional Fee Invoice”.

This email is send from the spoofed address “Tamika Leblanc <>” and has the following body:

GDear Sir/Madam,

Re: Meridian Professional Fees

Please find attached our fee note for services provided, which we trust meets with your approval.

Payment should be made to Meridian International VAT Consulting Ltd. within the agreed payment terms.

We look forward to your remittance in due course.

Yours sincerely
Tamika Leblanc
Financial CEO

This email has been scanned by the Symantec Email service.
For more information please visit ______________________________________________________________________
The information in this email and any attachments are the property ofALTAVIA or its affiliates and may contain proprietary and confidential information that is intended for the addressee(s) only. If you are not the intended recipient, please refrain from any disclosure, copying, distribution, retention or use of this information. You are hereby notified that such actions are prohibited and could be illegal. If you have received this e-mail in error, please immediately contact the sender and delete the e-mail. We appreciate your cooperation. Email transmissions being not guaranteed, ALTAVIA and its affiliates decline their liability due to this email transmission, specifically when altered, modified or falsified.
Les informations contenues dans cet e-mail ainsi que les fichiers joints sont la propriété d’ALTAVIA et / ou ses filiales et peuvent être des informations confidentielles et privées qui sont adressées à l’attention de leur destinataire uniquement. Si vous n’êtes pas le destinataire du message merci de ne pas divulguer, copier, diffuser, conserver ou utiliser ces informations. Vous êtes par la présente notifié que ces agissements sont interdits et peuvent être illégaux. Si vous avez reçu cet e-mail par erreur, merci de prendre contact immédiatement avec l’expéditeur et de détruire cet e-mail. Nous vous remercions de votre coopération. La correspondance en ligne n’étant pas un moyen entièrement sécurisé, ALTAVIA et ses filiales déclinent toute responsabilité au titre de cette transmission, notamment si son contenu a été altéré, déformé ou falsifié.

This email has been scanned by the Symantec Email service.
For more information please visit

The attached file invoice10072180.doc is a Word file with malicious macro.

The malware is detected as HEUR(high).VBA.Trojan or CXmail/OleDl-A by 2 of the 54 AV engines at Virus Total.

Use the Virus Total for more detailed information.
SHA256: 9168bea52ed22fbf46bb690c793fccdfec7c78998c983e10cbb4072e24138ff5

This email is already a variant on the previous malware campaign New Word malware: UKSM Invoice 12959596.